Former Systems Administrator Gets Prison Time

A former systems administrator who was on the job at a Pennsylvania clinic group for only about three weeks has been sentenced to 27 months in federal prison after he was convicted in a case involving wire fraud and hacking computers.

The former employee used clinic credentials to delete computer settings and data - including patient information - as well as to make fraudulent technology purchases, prosecutors say.

The case highlights the importance of managing administrative credentials, especially when employees leave an organization.

The Department of Justice says Brandon Coughlin, a 29-year-old resident of Texas, "intentionally hacked and damaged" 13 servers operated by Pennsylvania-based Centerville Clinics Inc. and engaged in a scheme to defraud the clinics group by using the organization's purchase card to order merchandise from Staples.

Abusing Credentials

Indictment documents say that on or about Jan. 16, 2013, Coughlin was hired as the "in-house systems administrator" of Centerville Clinics' computer systems, and "was aware of the administrative credentials necessary to gain access, modify settings and control all computer systems at the healthcare entity."

On Feb. 4, 2013, Coughlin was asked to resign and did so. Other court documents indicate Coughlin was asked to leave because his former employer, Home Depot, allegedly pressed charges related to fraud.

Nonetheless, the indictment document says the clinic group's administrative credentials to its computer systems "and the web-based email server" were not changed after Coughlin left the employment of the clinic.

About two days after ending his job at the clinics, "Coughlin created an undisclosed new administrative account giving him full access and control of [the clinics'] computer system, without the knowledge, consent or authorization of the healthcare entity's management officials," the indictment says.

The clinics' system administrator's credentials "were not changed until mid-2015, well after the defendant left the employ of the healthcare entity," the indictment says.

Prosecutors say Coughlin committed his crimes during the period between his departure from the clinics and the change of credentials.

Computer Hacking

From about Feb. 6, 2013 through about Sept. 18, 2013, Coughlin "knowingly caused the transmission of a program, information, code, and command, and, as a result of such conduct, intentionally caused damage without authorization to protected computers belonging to [the clinics]," indictment papers indicate.

Coughlin "accessed the protected computer servers of [the clinics] using the new undisclosed and unauthorized administrative account, disabled all administrative accounts needed to control any and all of the protected computer servers of [the clinics] and deleted users' network shares, business data, and patient health information data, including patient medical records from those protected computer servers," the court documents say.

Prosecutors say the administrative portal of the email server of the clinic group "could be reached via the internet from anywhere in the country and the person using the administrative credential could access and read any email in any users' email accounts and also implement administrative rules on users accounts to delete emails from certain senders and forward incoming emails to other email accounts."

The DOJ says Coughlin caused a financial loss of approximately $60,000 for the clinics and also caused the organization "to cease its medical treatment of patients until its system was restored."

In addition to breaching and tampering with the clinics' computer systems to change user accounts and delete data, federal prosecutors say Coughlin used the clinics' credentials and the purchase card account information to gain access to the clinics' Staples account and to fraudulently purchase several Apple tablet computers.

The U.S. Department of Health and Human Services does not list Centerville Clinics Inc. or CCI as having reported any data breaches impacting protected health information for 500 or more individuals on its HIPAA Reporting Breach Tool website, commonly called the "wall of shame."

In a statement provided to Information Security Media Group, Centerville Clinics says it hired an outside firm to analyze the impact of Brandon Coughlin's unauthorized access to its systems. "We reviewed the facts under the four-part breach analysis under HIPAA and concluded that since there was no evidence that the electronic medical record database or any protected health information contained in the database was viewed, and it was mathematically impossible for the database to have been downloaded during the brief period of unauthorized access, there was a low probability that the PHI has been compromised, and that no HIPAA breach occurred," the statement notes.

Lessons to Learn

"The most dangerous employee we have from a cybersecurity perspective is someone who has elevated privileges and, in particular, those involved in managing the network, applications and data," McMillan says.

"They are also all too often overlooked in monitoring and audit efforts. The overwhelming majority of IT workers are hard-working dedicated professionals like any other group. The challenge is that when it comes to cybersecurity, they present the greatest risk in the user population and our protections and audit activities need to reflect the risk."

Data access abuses committed by terminated employees are a problem for many entities that are slow to adopt more robust security practices, McMillan says.

"It is probably way more common than we'd like because discipline around security practices is not always where it should be. We know people leave organizations ... and are not always removed from the system as efficiently or timely as they should be," he says.

What makes the Coughlin case unusual, however, is that his tenure at the entity was so brief.

"The activities that Coughlin engaged in that allowed him to go undetected should not have been possible, or at the very least should have generated an auditable event," McMillan says. "Had that happened he might have been discovered earlier. The lesson is simple. The minute they join, [employees should be] educated on their responsibilities, monitored and when they leave [their credentials] removed immediately."

About the Author

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site, and played a lead role in the launch of InformationWeek's healthcare IT media site.
